DBD packets must fit within the interface MTU; a mismatch causes the adjacency to stall in EXSTART.
2152 questions total · 29 pages · All types, answers revealed
A network engineer runs the following command to troubleshoot a VRF-Lite MPLS LDP issue:

```
R1# show mpls ldp bindings vrf CUSTOMER_F
  lib entry: 10.4.4.0/24, rev 2
        local binding:  label: 16
        remote binding: lsr: 2.2.2.2:0, label: 20
  lib entry: 10.5.5.0/24, rev 3
        local binding:  label: 17
        remote binding: lsr: 2.2.2.2:0, label: 21
```

What does this output indicate?
Correct. The output shows local and remote label bindings for two prefixes.
Why this answer
The 'show mpls ldp bindings vrf' command displays MPLS label bindings for a specific VRF. The output shows two prefixes (10.4.4.0/24 and 10.5.5.0/24) with local labels (16 and 17) and remote labels (20 and 21) from LSR 2.2.2.2. This indicates that LDP has successfully exchanged labels for these prefixes within the VRF.
Which syslog facility code is used by default for Cisco IOS messages when sent to a syslog server?
Cisco IOS uses local7 (facility 23) as the default syslog facility.
Why this answer
Cisco IOS sends syslog messages with facility local7 (code 23) unless `logging facility` changes it. The PRI value at the start of each exported message is facility × 8 + severity, so a default IOS notification (severity 5) arrives at the collector as <189>. Collector parsing rules that assume a Unix default such as user (1) or local4 (20) will misfile IOS messages.
A network engineer runs the following command to troubleshoot an MPLS L3VPN issue:

```
R1# debug ip bgp updates
*Mar 1 00:01:23.456: BGP(0): 10.0.0.2 UPDATE out w/ attr: nexthop 10.0.0.1, origin i, metric 0, path 65000, extended community RT:100:100
*Mar 1 00:01:23.456: BGP(0): 10.0.0.2 UPDATE out for 10.1.1.0/24
*Mar 1 00:01:23.456: BGP(0): 10.0.0.2 UPDATE run, update group 1
```

What does this output indicate?
The output shows R1 sending an UPDATE (UPDATE out) for prefix 10.1.1.0/24 to neighbor 10.0.0.2.
Why this answer
The three debug lines describe one outbound update: its attributes (next hop 10.0.0.1, origin IGP, MED 0, AS path 65000, extended community RT:100:100), the prefix it carries (10.1.1.0/24), and the update group the neighbor belongs to. The route-target extended community shows the prefix is being exported as a VPN route toward 10.0.0.2; nothing in this output is being denied or filtered.
Which BGP attribute is considered 'well-known mandatory' and must be present in all BGP update messages?
Correct. AS_PATH is well-known mandatory.
Why this answer
The AS_PATH attribute is well-known mandatory: every BGP implementation must recognize it, and it must be present in every UPDATE that advertises NLRI. ORIGIN and NEXT_HOP are the other two well-known mandatory attributes; LOCAL_PREF and ATOMIC_AGGREGATE are well-known discretionary.
Which NetFlow version introduced the concept of templates to support variable-length flow records?
Correct. Version 9 introduced template-based flow records.
Why this answer
NetFlow version 9 introduced templates, allowing flexible and extensible flow record formats.
A network engineer configures SNMPv3 with authentication only (no privacy) on a router. The NMS can poll the router successfully. Later, the engineer adds the 'priv' option to the user configuration. The NMS now fails to poll the router. Which is the most likely explanation?
SNMPv3 requires that both the agent and NMS agree on the security level; if the agent requires privacy but the NMS does not provide it, the request fails.
Why this answer
When privacy is added to the SNMPv3 user, the agent requires the authPriv security level for that user. An NMS still sending authNoPriv requests (no privacy protocol or passphrase configured) is rejected with an unsupported security level report and the poll fails. The NMS must be updated with the same privacy protocol (DES/AES) and passphrase configured on the router.
Correct. For eBGP, `ebgp-multihop` is required whenever the neighbor address is not on a directly connected subnet (for example, a loopback-to-loopback peering). BFD does not affect this requirement.
Why this answer
A BGP session stuck in Idle means the router never opens the TCP session: either it has no route to the configured neighbor address, or the eBGP neighbor fails the directly-connected check because the session is built between loopbacks rather than interface addresses. In that case `neighbor <ip> ebgp-multihop <ttl>` (together with `neighbor <ip> update-source Loopback0` on both sides) is required; without it the router refuses to start the session at all.
BFD does not change this. BFD only monitors a session that BGP has already brought to Established, and single-hop BFD itself requires the peer to be on the directly connected interface, so a loopback-to-loopback peering would additionally need multihop BFD to be useful.
IPsec crypto ACLs must mirror each other. If the remote peer's crypto ACL does not cover the return traffic, the IKE phase 2 proxy-identity check fails and no SA is built for that flow; the peer then forwards the return traffic in cleartext (it does not match its crypto ACL), and the local router drops those cleartext packets because they match its own crypto ACL inbound.
Why this answer
A common edge case is that the ACL for interesting traffic is applied on the wrong interface or with the wrong addresses. In site-to-site VPNs the crypto map is applied to the outside interface through which the traffic leaves; if the crypto ACL is written with the wrong source/destination (for example, the tunnel endpoint addresses instead of the protected LAN subnets), traffic never matches and is forwarded unprotected.
Another less obvious issue is that the crypto ACLs must be symmetric: if router A permits A-LAN to B-LAN, router B must permit B-LAN to A-LAN. When one side is missing, phase 2 negotiation fails with a proxy identity mismatch (visible in `debug crypto ipsec` and `show crypto ipsec sa`), the side with no matching entry sends its packets in cleartext, and the other side discards them as unprotected packets that should have arrived inside IPsec.
On a DMVPN Phase 2 hub-and-spoke network, an engineer applies an inbound IPv4 ACL on the tunnel interface of a spoke router to permit only traffic from specific spoke IPs. After the ACL is applied, the spoke cannot establish a direct spoke-to-spoke tunnel with another spoke, even though NHRP resolution succeeds. What is the most likely explanation?
An inbound ACL on the tunnel interface is evaluated against the decapsulated packets; if it only permits the hub's tunnel address, packets from other spokes are denied.
Why this answer
An inbound IPv4 ACL on the tunnel interface is evaluated against the decapsulated packet, that is, against the inner IP header carried inside mGRE/IPsec, not against the outer header that carries the spokes' public (NBMA) addresses. Spoke-to-spoke data traffic therefore arrives with an inner source address belonging to the remote spoke: its tunnel address for routing-protocol traffic, or a host behind it for user traffic. If the ACL lists only the hub's tunnel address or a subset of spokes, those packets are dropped after decapsulation, even though the mGRE encapsulation and the IPsec SA with the other spoke come up normally.
NHRP is carried directly inside GRE (protocol type 0x2001) rather than inside an IP packet, so the IPv4 ACL on the tunnel never sees it. That is why NHRP resolution succeeds while the data traffic that follows it is dropped.
Exam trap
Cisco often tests where an ACL sits relative to tunnel encapsulation: an ACL on the physical (NBMA) interface sees the outer header (GRE or ESP to the spoke's public address), while an ACL on the tunnel interface sees the inner header. Candidates who assume a tunnel-interface ACL must list NBMA addresses, or that it filters the hub's public address, pick the wrong option; ACL placement and direction determine which header is evaluated.
How to eliminate wrong answers
Option B is wrong because NHRP resolution succeeds: NHRP is carried inside GRE (protocol type 0x2001), not inside IP, so an IPv4 ACL on the tunnel interface cannot filter it; if NHRP were being blocked, the spoke would not be able to resolve the target spoke's address at all. Option C is wrong because a misconfigured NHRP authentication key would prevent NHRP registration and resolution entirely, but the question states NHRP resolution succeeds. Option D is wrong because the ACL is explicitly stated as inbound on the tunnel interface; an outbound ACL would affect traffic leaving the spoke, not incoming spoke-to-spoke traffic, and the issue is with receiving traffic from the other spoke.
A network engineer runs the following command to troubleshoot an Administrative Distance issue:

```
R1# show ip route summary
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       2           0           0           512
static          1           0           0           256
eigrp 100       3           0           0           768
ospf 1          2           0           0           512
bgp 65001       1           0           0           256
internal        1           0           0           256
Total           10          0           0           2560
```

What does this output indicate?
EIGRP has 3 networks, which is the highest count among protocols.
Why this answer
The output summarizes routes per source and does not show administrative distance values at all; it only lists the routing protocols and their route counts. To see the AD of a route use `show ip route <prefix>` (the "distance" field) or `show ip protocols`.
Which TWO statements about the syslog message format and its fields are correct? (Choose TWO.)
Correct. Facility codes indicate the source process; local7 is commonly used for Cisco network devices and has a value of 23.
Why this answer
Syslog messages follow RFC 5424 or the older BSD format. The facility code indicates the source process (e.g., local7 is 23), and the severity level is from 0 (emergency) to 7 (debugging). The sequence number is optional and not present by default.
The timestamp format is typically MMM DD HH:MM:SS in IOS, not DD/MM/YYYY. The hostname is the device's configured hostname, not the IP address of the sending interface.
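The facility and severity arithmetic above is what a collector has to undo on every received message. The following is an added example, not code from the original page: it encodes and decodes the syslog PRI header, parses the IOS message shape (PRI, optional sequence number, timestamp, `%FACILITY-SEVERITY-MNEMONIC:` and text), and cross-checks the severity in the PRI against the digit in the mnemonic, which catches messages whose header was rewritten by a relay or forged. The sample lines are constructed for the example; the facility and severity tables are the RFC 5424 values.

```python
import re

# Facility and severity tables from RFC 5424 section 6.2.1.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITY_NAMES += [f"local{i}" for i in range(8)]          # codes 16..23
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

CISCO_DEFAULT_FACILITY = FACILITY_NAMES.index("local7")     # 23 unless 'logging facility' changes it


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 / RFC 5424)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Return (facility_name, severity_name) for a PRI value 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity]


# Shape of an IOS message on the wire: <PRI>, optional sequence number ('service
# sequence-numbers'), optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text.
IOS_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<seq>\d+: )?"
    r"(?P<stamp>[^%]*?)"
    r"(?P<mnemonic>%[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+): "
    r"(?P<text>.*)$")


def parse_ios_syslog(line: str) -> dict:
    """Decode one exported IOS message and cross-check the PRI severity
    against the severity digit embedded in the %...-N-... mnemonic."""
    m = IOS_LINE.match(line)
    if m is None:
        raise ValueError(f"not an IOS syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "facility": facility,
        "severity": severity,
        "mnemonic": m["mnemonic"],
        "text": m["text"].strip(),
        "default_facility": facility == FACILITY_NAMES[CISCO_DEFAULT_FACILITY],
        # A PRI that disagrees with the mnemonic means the header was rewritten
        # in transit (relay) or the message did not come from the device it claims.
        "consistent": SEVERITY_NAMES[int(m["sev"])] == severity,
    }


# Constructed sample lines for this example (not captured from a real device).
SAMPLE_LINES = [
    "<189>42: *Mar  1 00:01:23.456: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)",
    "<163>*Mar  1 00:02:10.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "<189>*Mar  1 00:03:00.000: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(4444) -> 10.1.1.1(22), 1 packet",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_ios_syslog(line))
```

The first line decodes to local7/notice, the IOS default; the second was sent from a device whose `logging facility` was changed to local4; the third carries PRI 189 (notice) but an info-level mnemonic, so `consistent` is false and the message deserves a second look.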
A network engineer configures SNMPv3 with authentication and privacy on a router. The NMS polls the router successfully. The engineer then configures IPsec to encrypt all traffic between the router and the NMS. The NMS now fails to poll the router. Which is the most likely explanation?
The most likely cause is an IPsec policy mismatch for the SNMP flow: if the router's crypto ACL matches the UDP/161 packets (so its responses leave as ESP) but the NMS host's IPsec policy does not, the NMS discards the unexpected ESP; conversely, if the NMS policy requires IPsec for the flow but the router's crypto ACL does not match it, the router answers in cleartext and the NMS policy drops the reply. Either way the poll times out even though the SNMPv3 authentication and privacy settings are correct.
Why this answer
Correct. Offset-list direction matters: `offset-list ... out` changes the metric advertised to neighbors (and therefore their feasible distance), while `offset-list ... in` changes the metric of routes received on the interface.
Why this answer
An EIGRP offset-list adds a fixed value to the delay component of routes received on (in) or advertised out of (out) an interface. Applied inbound, it raises the metric this router computes for the matching routes and can change which neighbor becomes the successor; applied outbound, it raises the reported distance the neighbor sees, so the neighbor's feasible distance and successor choice change, not this router's. Applying the offset in the wrong direction, or on the wrong interface, is the usual reason a traffic-engineering change appears to have no effect: `show ip eigrp topology` still shows the original metric on the path that was meant to be penalized.
When using an extended ACL to filter traffic, which fields can be matched? (Choose the most complete answer.)
Correct. Extended ACLs can match these fields for fine-grained filtering.
Why this answer
Extended ACLs (access control lists) operate at Layer 3 and Layer 4 of the OSI model, allowing matching on source and destination IP addresses, protocol (e.g., TCP, UDP, ICMP), and port numbers. This granularity enables precise traffic filtering beyond the source-only limitation of standard ACLs. Option B correctly lists all these matchable fields, making it the most complete answer.
Exam trap
Cisco often tests the distinction between standard and extended ACLs, trapping candidates who forget that extended ACLs can match protocol and port numbers in addition to source and destination IP addresses, leading them to choose an incomplete option like C or A.
How to eliminate wrong answers
Option A is wrong because it describes a standard ACL, which only matches on source IP address, not the extended ACL's capability. Option C is wrong because it omits destination IP address and protocol, which are essential fields in an extended ACL; extended ACLs can match both source and destination ports, not just destination. Option D is wrong because MAC addresses are Layer 2 fields matched by MAC ACLs or port security, not by extended IP ACLs; extended ACLs do not filter based on MAC addresses.
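To make the matching rules concrete, here is an added example (not code from the original page) that evaluates a packet against an IOS-style extended ACL: wildcard masks on source and destination, protocol, optional `eq`/`range` port operators on either address, first match wins, and the implicit deny at the end. The ACL lines and test packets are constructed for the example; port names are not resolved, only numeric ports are accepted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # base 0 with an all-ones wildcard matches every address


def wildcard_match(addr: str, base: int, wildcard: int) -> bool:
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    mask = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (base & mask)


@dataclass
class Ace:
    action: str                       # permit | deny
    proto: str                        # ip | tcp | udp | icmp
    src: Tuple[int, int]              # (base, wildcard)
    sport: Optional[Tuple[int, int]]  # inclusive port range or None
    dst: Tuple[int, int]
    dport: Optional[Tuple[int, int]]
    line: str


def _addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((base, wc), next_i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _port(tokens: List[str], i: int):
    """Optional 'eq N' or 'range A B' following an address."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(action, proto, src, sport, dst, dport, line)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None):
    """First matching entry decides; no match means the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace.src) or not wildcard_match(dst, *ace.dst):
            continue
        if ace.sport and (sport is None or not ace.sport[0] <= sport <= ace.sport[1]):
            continue
        if ace.dport and (dport is None or not ace.dport[0] <= dport <= ace.dport[1]):
            continue
        return ace.action, ace.line
    return "deny", "implicit deny"


# Constructed ACL for this example: SSH to a management host from 10/8 only,
# DNS to one resolver from anywhere, a small TCP range, and ICMP.
MGMT_ACL = [parse_ace(l) for l in [
    "permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.10 eq 22",
    "permit udp any host 192.0.2.53 eq 53",
    "permit tcp any host 192.0.2.10 range 8000 8010",
    "permit icmp any any",
]]

if __name__ == "__main__":
    print(evaluate(MGMT_ACL, "tcp", "10.1.2.3", "192.0.2.10", 51000, 22))
    print(evaluate(MGMT_ACL, "tcp", "172.16.1.1", "192.0.2.10", 51000, 22))
```

Note that the wildcard is not a subnet mask: `0.255.255.255` means "ignore the last three octets", which is why 10.1.2.3 matches the first line while 172.16.1.1 falls through every entry to the implicit deny.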
A network engineer runs the following commands on Router R1:

```
R1# show ip ospf database

            OSPF Router with ID (10.1.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.1        10.1.1.1        100         0x80000001 0x00A0B0 1
10.2.2.2        10.2.2.2        200         0x80000003 0x00C0D0 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.1.2        10.1.1.2        150         0x80000001 0x00E0F0

R1# show ip route ospf
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O        10.2.2.0/24 [110/20] via 10.1.1.2, 00:10:00, FastEthernet0/0
```

Based on this output, what is a likely issue?
The database has more routes than the routing table, indicating filtering.
Why this answer
The database holds two router LSAs (10.1.1.1 and 10.2.2.2) and one network LSA for the transit segment, while the routing table holds a single OSPF route, 10.2.2.0/24. The LSDB and `show ip route ospf` are not expected to match one-to-one: the transit segment 10.1.1.0/24 is installed as a connected route and is never listed as an OSPF route. Still, when a prefix that is present in the LSDB (for example a second prefix from 10.2.2.2, which advertises two links) is missing from the routing table, the usual cause is an inbound `distribute-list` (referencing an ACL, prefix-list or route-map) under `router ospf`, which blocks installation into the RIB without affecting the LSA exchange. The intended answer is that a route-map or distribute-list may be filtering some OSPF routes from being installed; confirm with `show ip protocols` (it lists incoming update filters) and `show ip ospf rib`.
A network engineer is troubleshooting a BGP route summarization issue. Router R1 is configured with the 'aggregate-address 192.168.0.0 255.255.252.0' command without any keywords. The engineer notices that the ISP neighbor is receiving both the aggregate route and the more specific routes (192.168.0.0/24, 192.168.1.0/24, etc.), causing the ISP to prefer the specific routes. What should the engineer do to ensure the aggregate route is preferred?
Correct. The summary-only keyword suppresses the advertisement of more specific routes, leaving only the aggregate route.
Why this answer
Longest-prefix match in the forwarding table always prefers the more specific routes over the aggregate, regardless of BGP attributes, so trying to make the aggregate "more attractive" with AS_PATH or local preference does not help. The engineer must stop advertising the specifics: `aggregate-address 192.168.0.0 255.255.252.0 summary-only` suppresses all contributing routes, or a `suppress-map` suppresses selected ones; if a particular peer still needs the specifics, `neighbor ... unsuppress-map` re-enables them for that neighbor only.
An engineer must configure NAT so that inside hosts (192.168.1.0/24) are translated to a public IP pool (203.0.113.1-203.0.113.10) when accessing the Internet, but must NOT translate traffic destined to a VPN subnet (10.10.10.0/24) reachable via the same outside interface. Which TWO configuration steps are required? (Choose TWO.)
Correct. The ACL denies the VPN subnet, so the route map will not match traffic to that destination, thus exempting it from NAT.
Why this answer
To exempt certain destinations from NAT, a route map with `match ip address` referencing an ACL is used. The ACL must deny traffic to the VPN subnet and permit all other traffic from 192.168.1.0/24; a denied packet does not match the route map, so it is not translated. The `ip nat inside source route-map <name> pool <pool>` command then applies this route map to the dynamic translation.
Using a second ACL on the inside interface or a static NAT would not achieve the desired selective exemption.
Correct. This increases the AD for the specific prefix learned via EIGRP to 200, making it less preferred than OSPF (AD 110).
Why this answer
To make OSPF routes preferred over EIGRP for a specific prefix, the engineer can either raise the AD of EIGRP for that prefix with `distance <AD> <source> <wildcard> <acl>` under `router eigrp` (the ACL matches the prefix, the source/wildcard pair matches the advertising neighbor, 0.0.0.0 255.255.255.255 for any), or lower the AD of OSPF for that prefix with the equivalent `distance` command under `router ospf`, where the source field matches the advertising router's ID. Setting the EIGRP distance for that prefix to 200 makes the OSPF route (AD 110) win. Note that the `distance` command takes an access-list, not a prefix-list.
Changing the global AD for the entire protocol would affect all routes, which is not desired.
An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface. After the configuration, legitimate traffic from a customer network is being dropped. The engineer verifies that the customer's IP prefix is in the routing table. Which is the most likely explanation?
Strict uRPF requires that the best route to the source points back to the receiving interface. If there are multiple equal-cost paths, the router may choose a different interface for the return path, causing drops.
Why this answer
Strict uRPF accepts a packet only if the FIB's best route to its source address points back out the interface the packet arrived on. With asymmetric routing (the return path to the customer leaves through another interface, for example because a second link or a better IGP path exists), legitimate packets fail the check and are dropped even though the prefix is in the routing table.
Equal-cost paths are a related trap: behaviour with ECMP is platform dependent (some implementations accept any of the equal-cost interfaces, others only the path CEF selects), so verify with `show ip interface <if>` (uRPF drop counters) and `show ip cef <source>`. Loose mode (`ip verify unicast source reachable-via any`) only requires that some route to the source exist and is the usual choice where paths may be asymmetric; it still stops sources with no route at all, but not spoofing of a routed prefix.
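The difference between the two modes is easier to see on a small table. The following is an added example, not code from the original page: a constructed FIB with a default route, two customer prefixes and one ECMP prefix, and a function that applies the strict or loose check to a (source, ingress interface) pair. The ECMP rule used here (strict accepts any of the equal-cost interfaces) is an assumption of this model, as is ignoring the default route unless `allow-default` is set.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB for this example: (prefix, [egress interfaces]).
FIB: List[Tuple[ipaddress.IPv4Network, List[str]]] = [
    (ipaddress.ip_network("0.0.0.0/0"),      ["Gi0/0"]),           # default toward upstream
    (ipaddress.ip_network("10.10.0.0/16"),   ["Gi0/1"]),           # customer A
    (ipaddress.ip_network("192.0.2.0/24"),   ["Gi0/1"]),           # customer A, second block
    (ipaddress.ip_network("203.0.113.0/24"), ["Gi0/2", "Gi0/3"]),  # customer B, two equal-cost paths
]


def longest_match(addr: str) -> Optional[Tuple[ipaddress.IPv4Network, List[str]]]:
    """Plain longest-prefix lookup over the FIB list."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifaces in FIB:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf_permits(src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """Model of the uRPF source check.
    strict: the FIB entry for the source must list the ingress interface
            (ECMP: any listed path is accepted, an assumption of this model).
    loose:  any route to the source is enough.
    Both modes ignore the default route unless allow_default is set."""
    entry = longest_match(src)
    if entry is None:
        return False                      # no route at all: dropped in every mode
    net, ifaces = entry
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers it
    if mode == "loose":
        return True
    if mode == "strict":
        return ingress in ifaces
    raise ValueError(f"unknown mode {mode!r}")


def classify(packets: List[Tuple[str, str]]):
    """For each (source, ingress) pair, report the strict and loose verdicts."""
    return [(src, iface, urpf_permits(src, iface, "strict"), urpf_permits(src, iface, "loose"))
            for src, iface in packets]


if __name__ == "__main__":
    for row in classify([("10.10.5.5", "Gi0/1"), ("10.10.5.5", "Gi0/2"),
                         ("10.10.5.5", "Gi0/0"), ("198.51.100.7", "Gi0/0")]):
        print(row)
```

The second row is the scenario in the question: a genuine customer A address arriving on Gi0/2 (asymmetric return path) fails strict but passes loose. The third row is the anti-spoofing case both modes exist for, and the last row shows why the default route is excluded: with `allow-default`, loose mode would accept any source at all on an interface that carries a default route.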
Drag and drop the steps to troubleshoot route redistribution adjacency or connectivity failures into the correct order, from first to last.
Why this order
Troubleshooting connectivity failures due to redistribution starts with checking basic Layer 3 reachability, then verifying routing protocol adjacencies, followed by examining the redistribution configuration, then checking for route filtering issues, and finally testing end-to-end connectivity. This order isolates the problem systematically.
What is the maximum number of ERSPAN sessions that can be configured on a Cisco IOS-XE router?
Many Cisco IOS-XE routers support up to 24 ERSPAN sessions.
Why this answer
The maximum number of ERSPAN sessions is platform-dependent, but typically up to 24 sessions on high-end routers like ASR1000 series. This is a hardware/software limitation.
An engineer configures PBR with a route-map that sets the next-hop to 10.0.0.2 for traffic from subnet 192.168.1.0/24. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also enables 'ip cef' globally. Traffic from 192.168.1.0/24 is not being policy-routed; instead, it follows the routing table. What is the most likely cause?
CEF fast-switching bypasses PBR unless policy routing is explicitly enabled in CEF.
Why this answer
In older IOS releases PBR was process-switched unless `ip route-cache policy` enabled fast-switched PBR, and a CEF-switched path could appear to bypass the policy; on current IOS and IOS-XE, PBR is CEF-switched automatically once CEF is on, so the command is no longer required. Before accepting this explanation, confirm the policy is actually matching: `show route-map` should show increasing match counters, the ACL referenced by `match ip address` must cover 192.168.1.0/24 as the source, `show ip policy` must list GigabitEthernet0/0, and 10.0.0.2 must be resolvable, because `set ip next-hop` is silently ignored and the packet is routed normally when the next hop is not reachable.
Examine the following OSPF configuration on router R1:

```
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 1
```

What is the effect of this configuration?
Correct. The wildcard mask 0.255.255.255 matches the first octet, and 0.0.0.255 matches the last octet.
Why this answer
The network statements define which interfaces participate in OSPF and assign them to areas. The first statement covers all interfaces with IP addresses starting with 10.x.x.x, and the second covers 192.168.1.x. This is a valid configuration.
Type 1 external LSAs add internal OSPF cost to the external metric.
Which TWO commands can be used to verify the configured logging destinations on a Cisco IOS-XE device? (Choose TWO.)
This command shows the logging status, including destinations such as buffer, console, monitor, and syslog servers.
Why this answer
The 'show logging' command displays the current logging configuration and buffer contents. The 'show running-config | include logging' command shows all logging-related configuration lines. The other commands either show different information or do not exist.
A network engineer runs the following command to troubleshoot OSPF route installation:

```
R1# show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

O        10.1.1.0/24 [110/10] via 10.1.1.2, 00:12:34, GigabitEthernet0/0
O IA     192.168.1.0/24 [110/20] via 10.1.1.2, 00:10:00, GigabitEthernet0/0
O E2     5.5.5.5/32 [110/20] via 10.1.1.2, 00:05:00, GigabitEthernet0/0
```

What does this output indicate?
All three OSPF routes have the same next-hop address 10.1.1.2.
Why this answer
The output shows OSPF routes in the routing table, including intra-area, inter-area, and external routes.
A network engineer runs the following command on Router R1:

```
R1# show ip route vrf BLUE
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
C       10.1.2.0/24 is directly connected, GigabitEthernet0/1
O       10.2.0.0/16 [110/20] via 10.1.1.2, 00:00:15, GigabitEthernet0/0
```

Based on this output, what is the problem?
The age of 00:00:15 suggests the route was recently installed, which could indicate a flapping OSPF neighbor or route instability.
Why this answer
The output shows the routing table for VRF BLUE. It has two connected routes and one OSPF route. The OSPF route (10.2.0.0/16) has been learned recently (00:00:15), which may indicate a flapping neighbor or recent convergence.
The rest of the output is a normal VRF routing table: two connected interfaces in VRF BLUE and one OSPF route learned through GigabitEthernet0/0 from next hop 10.1.1.2, which sits on a directly connected subnet. A young age (00:00:15) by itself only says the route was installed recently; it is evidence of instability only if it keeps resetting across repeated checks, which `show ip ospf neighbor` transitions or %OSPF-5-ADJCHG log messages would confirm.
No problem is evident from this output; the correct answer is that the VRF routing table is correctly populated.
Given the following partial configuration on router R3:

```
ip access-list extended FILTER
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any
!
route-map RMAP permit 10
 match ip address FILTER
 set metric 100
!
router eigrp 100
 redistribute connected route-map RMAP
```

What is the effect of this configuration?
The route-map matches the ACL, which permits only 10.0.0.0/8. The set metric applies to matched routes. The deny statement in the ACL causes other routes to be denied by the route-map.
Why this answer
The route-map RMAP is configured to permit routes matching ACL FILTER (which permits 10.0.0.0/8) and set their metric to 100. However, the route-map is applied to redistribution of connected routes. Only connected routes that match the ACL will be redistributed; the set metric command will apply metric 100 to those routes.
Routes not matching the ACL will be denied (since the ACL denies all other traffic) and not redistributed.
Router R5 has the following configuration:

```
interface GigabitEthernet0/6
 ip address 10.5.5.5 255.255.255.0
 ip policy route-map PBR-METRIC
!
route-map PBR-METRIC permit 10
 match ip address 103
 set metric 50
!
access-list 103 permit ip any any
```

What is the effect of the 'set metric 50' command in this PBR context?
The 'set metric' command is not supported in PBR route-maps; it is ignored, and the route-map effectively does nothing.
Why this answer
The 'set metric' command in a route-map used for PBR is not a standard PBR action. PBR actions include set ip next-hop, set interface, set ip default next-hop, set default interface, and set ip tos/precedence. 'set metric' is used in redistribution route-maps, not PBR. This configuration will not cause an error, but the metric setting is ignored for PBR.
A network engineer runs the following command to verify crypto engine connections on a DMVPN spoke:

```
R2# show crypto engine connections active

Crypto Engine Connections

   ID  Type    Algorithm        Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   AES256-SHA           100      100      100 192.168.1.2
```

What does this output indicate?
Correct: The output shows an active IPsec SA with counters increasing.
Why this answer
The output shows one active IPsec connection using AES256-SHA, with 100 packets encrypted and decrypted, indicating traffic is flowing over the DMVPN tunnel.
A network engineer runs the following command on Router R1:

```
R1# show policy-map control-plane
Control Plane

  Service-policy input: CoPP-IN

    Class-map: CoPP-BGP (match-all)
      500 packets, 30000 bytes
      5 minute offered rate 1000 bps, drop rate 500 bps
      Match: access-group 120
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 300 packets, 18000 bytes; actions:
          transmit
        exceeded 100 packets, 6000 bytes; actions:
          drop
        violated 100 packets, 6000 bytes; actions:
          drop
```

Based on this output, which statement is correct?
The police counters show packets are being dropped due to exceeding the CIR.
Why this answer
The CoPP-BGP class is matching traffic and applying a police rate. The drop rate is 500 bps, and there are exceeded and violated packets being dropped. This indicates that BGP traffic is being rate-limited and some packets are being dropped, which could cause BGP session instability.
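Watching these counters by hand does not scale, and CoPP drops in a routing-protocol class are exactly the kind of thing that should page someone before the peer flaps. The following is an added example, not code from the original page: it parses `show policy-map control-plane` text of the shape shown above into per-class policer counters, counts only the colours whose action is `drop`, and reports classes whose drop fraction exceeds a threshold. The sample text is constructed for the example (the BGP class repeats the numbers in the question; a clean ICMP class is added for contrast).

```python
import re

# Constructed sample in the same shape as IOS 'show policy-map control-plane' output.
SAMPLE = """Control Plane

  Service-policy input: CoPP-IN

    Class-map: CoPP-BGP (match-all)
      500 packets, 30000 bytes
      5 minute offered rate 1000 bps, drop rate 500 bps
      Match: access-group 120
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 300 packets, 18000 bytes; actions:
          transmit
        exceeded 100 packets, 6000 bytes; actions:
          drop
        violated 100 packets, 6000 bytes; actions:
          drop

    Class-map: CoPP-ICMP (match-all)
      1200 packets, 120000 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: access-group 121
      police:
          cir 64000 bps, bc 8000 bytes, be 8000 bytes
        conformed 1200 packets, 120000 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
"""

CLASS_RE = re.compile(r"Class-map: (\S+)")
CIR_RE = re.compile(r"cir (\d+) bps")
# The action may follow 'actions:' on the same line or on the next one.
COUNTER_RE = re.compile(r"(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; actions:\s*(\w+)")


def parse_copp(text: str) -> list:
    """Split the output per class-map and return the policer counters of each."""
    classes = []
    parts = CLASS_RE.split(text)          # [preamble, name1, body1, name2, body2, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        counters = {colour: {"packets": int(pk), "bytes": int(by), "action": act}
                    for colour, pk, by, act in COUNTER_RE.findall(body)}
        cir = CIR_RE.search(body)
        total = sum(c["packets"] for c in counters.values())
        dropped = sum(c["packets"] for c in counters.values() if c["action"] == "drop")
        classes.append({
            "class": name,
            "cir_bps": int(cir.group(1)) if cir else None,
            "counters": counters,
            "total_packets": total,
            "dropped_packets": dropped,
            "drop_fraction": dropped / total if total else 0.0,
        })
    return classes


def classes_over_threshold(text: str, max_drop_fraction: float = 0.01) -> list:
    """Names of classes whose policer drops more than the allowed share of packets.
    A class protecting a routing protocol should essentially never drop, since the
    lost packets are the peer's keepalives and updates, so the default is deliberately low."""
    return [c["class"] for c in parse_copp(text) if c["drop_fraction"] > max_drop_fraction]


if __name__ == "__main__":
    for c in parse_copp(SAMPLE):
        print(c["class"], c["dropped_packets"], "of", c["total_packets"], "dropped")
    print("alert:", classes_over_threshold(SAMPLE))
```

Only colours whose action is `drop` are counted, so the same parser gives the right answer for a policer whose exceed action is `transmit` or `set-dscp-transmit`. In practice the counters are cumulative since the last `clear`, so the alert should be computed on the delta between two polls.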
A network engineer runs the following command to verify NetFlow export on an interface:

```
R1# show ip flow interface
GigabitEthernet0/0
  ip flow ingress
  ip flow egress
GigabitEthernet0/1
  ip flow ingress
```

What does this output indicate?
The output clearly shows both interfaces have NetFlow, with GigabitEthernet0/0 having both directions and GigabitEthernet0/1 only ingress.
Why this answer
The output shows which interfaces have NetFlow configured and in which direction. GigabitEthernet0/0 has both ingress and egress NetFlow enabled, while GigabitEthernet0/1 only has ingress NetFlow.
Management traffic to a router's loopback interface is being dropped. Router R1 has the following relevant configuration:

```
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
 ip ospf 1 area 0
!
access-list 100 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 100 in
```

Router R2 shows:

```
ping 192.168.1.1 source 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

What is the root cause?
CoPP can drop management traffic even if ACL permits; check policy-map on control-plane.
Why this answer
The interface ACL is not the cause. Access-list 100 permits all IP traffic, so the inbound ACL on GigabitEthernet0/0 passes the ICMP echo requests, and Loopback0 is advertised in OSPF area 0, so R2 has a route to 192.168.1.1. An inbound interface ACL is evaluated before the routing decision and applies equally to packets addressed to the router's own interfaces, so the fact that the loopback is not directly connected does not matter either.
What remains is the control plane itself. Echo requests to a router's own address are punted to the CPU, and a CoPP policy applied with `service-policy input` under `control-plane` can police or drop ICMP (or everything not explicitly classified) regardless of what the interface ACL permits. Verify with `show policy-map control-plane` and look for a class whose drop counters increase while the pings run; `show ip access-lists 100` will show the permit line's counter still incrementing, which proves the packets got past the interface ACL.
The correct answer is CoPP.
A network engineer is troubleshooting an issue where IPv6 traffic from a host is being dropped by the switch. The switch has IPv6 Source Guard enabled. The host has a static IPv6 address 2001:db8:2::20. The engineer sees that the binding table does not contain an entry for this host. What should the engineer do to resolve the issue without disabling IPv6 Source Guard?
Correct because ND snooping creates bindings for static addresses, allowing IPv6 Source Guard to permit traffic.
Why this answer
IPv6 Source Guard permits only traffic whose source address has an entry in the binding table. For DHCPv6 clients the entry is created by DHCPv6 snooping; for a statically configured address it can only come from ND snooping inspecting the host's NS/NA messages (typically the DAD neighbor solicitation sent when the address is configured) or from a manually configured binding. Enable the IPv6 snooping policy on the VLAN or port (`ipv6 snooping policy <name>` attached with `ipv6 snooping attach-policy`) so the binding is learned, or add a static entry with `ipv6 neighbor binding vlan <id> 2001:db8:2::20 interface <if> <mac>`, and verify with `show ipv6 neighbor binding`.
A network engineer is troubleshooting why the NMS cannot poll the CPU utilization of router R7 via SNMP. The router has 'snmp-server community cisco RO' configured. The NMS can poll interface statistics and routing table entries successfully. What is the most likely cause?
Correct because an SNMP view can restrict access to specific MIB objects; if the view does not include the CPU OIDs, polling fails.
Why this answer
The NMS reaches the agent (interface and routing-table OIDs answer), so the community string, the SNMP ACL and reachability are all fine; the failure is specific to one part of the OID tree. CPU utilization is exposed through CISCO-PROCESS-MIB (1.3.6.1.4.1.9.9.109, cpmCPUTotalTable), which IOS supports without any extra configuration; `snmp-server enable traps cpu` only controls CPU threshold traps and has no effect on polling.
An `snmp-server view` bound to the community (`snmp-server community cisco view <name> RO`) that includes the standard MIB-2 subtrees but not the Cisco enterprise subtree returns noSuchObject for the CPU OIDs while everything else keeps working. Check `show snmp view` and `show running-config | include snmp-server`, and either add the 1.3.6.1.4.1.9.9.109 subtree to the view or remove the view restriction from the community.
Which TWO statements about route-maps used for route filtering are true? (Choose TWO.)
A deny statement explicitly denies the route when the match conditions are satisfied.
Why this answer
Route-maps permit or deny routes based on match conditions, and an implicit deny all exists at the end. If no match is found, the route is denied. The sequence number determines the order of evaluation; lower numbers are processed first.
The `continue` clause sends evaluation on after a matching permit clause: `continue` alone proceeds to the next sequence, `continue <n>` jumps to sequence n; without it, evaluation stops at the first matching clause. A route-map is a generic policy object that can be referenced by several protocols or features; it is not protocol-specific by default.
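The following is an added example, not code from the original page, that models IOS route-map evaluation as described here and in the R3 redistribution item above: clauses processed in sequence order, `match ip address` against an ACL, a matching deny that rejects the route, set actions that accumulate across `continue`, and the implicit deny for routes that match no clause. Two simplifications are assumptions of this model: only the ACL's source field is compared with the route's network address (so the page's extended ACL `permit ip 10.0.0.0 0.255.255.255 any` is represented as a permit of 10.0.0.0 with wildcard 0.255.255.255), and a route that matched a permit clause with `continue` but no later clause is treated as permitted with the sets applied so far. The route-maps, ACLs and prefixes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


def wildcard_match(addr: int, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: wildcard bits set to 1 are ignored."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (addr & mask) == (int(ipaddress.IPv4Address(base)) & mask)


def acl_permits(acl: List[Tuple[str, str, str]], network: str) -> bool:
    """Apply an ACL to a route: the route's network address is compared with the
    source field (model assumption); first match wins; implicit deny at the end."""
    net = int(ipaddress.ip_network(network).network_address)
    for action, base, wildcard in acl:
        if wildcard_match(net, base, wildcard):
            return action == "permit"
    return False


@dataclass
class Clause:
    seq: int
    action: str                          # permit | deny
    match_acl: Optional[str] = None      # None means the clause matches every route
    sets: Dict[str, int] = field(default_factory=dict)
    cont: Union[None, str, int] = None   # None = stop, "next", or a sequence number


def apply_route_map(clauses: List[Clause], acls: Dict[str, list], network: str):
    """Return (permitted, accumulated set actions) for one route."""
    ordered = sorted(clauses, key=lambda c: c.seq)
    sets: Dict[str, int] = {}
    permitted = False
    i = 0
    while i < len(ordered):
        c = ordered[i]
        if c.match_acl is not None and not acl_permits(acls[c.match_acl], network):
            i += 1                                   # clause does not match, try the next one
            continue
        if c.action == "deny":
            return False, {}                         # a matching deny rejects the route
        permitted = True
        sets.update(c.sets)
        if c.cont is None:
            return True, sets                        # first matching permit ends evaluation
        if c.cont == "next":
            i += 1
        else:                                        # continue <seq>: jump to that sequence
            i = next((k for k, x in enumerate(ordered) if x.seq == c.cont), len(ordered))
    # Model assumption: a route that matched a permit with 'continue' but nothing after
    # it stays permitted; a route that matched nothing hits the implicit deny.
    return (True, sets) if permitted else (False, {})


# Constructed ACLs and route-maps for this example.
ACLS = {
    "FILTER": [("permit", "10.0.0.0", "0.255.255.255"), ("deny", "0.0.0.0", "255.255.255.255")],
    "BLOCK":  [("permit", "172.16.0.0", "0.15.255.255")],
}
RMAP = [Clause(10, "permit", "FILTER", {"metric": 100})]                    # the R3 example
RMAP2 = [Clause(10, "deny", "BLOCK"),                                        # drop RFC 1918 172.16/12
         Clause(20, "permit", None, {"tag": 7}, "next"),                     # tag everything, keep going
         Clause(30, "permit", None, {"metric": 50})]                         # then set the metric

if __name__ == "__main__":
    for net in ("10.1.1.0/24", "192.168.1.0/24"):
        print("RMAP", net, apply_route_map(RMAP, ACLS, net))
    for net in ("172.16.1.0/24", "10.1.1.0/24"):
        print("RMAP2", net, apply_route_map(RMAP2, ACLS, net))
```

With RMAP, 192.168.1.0/24 is rejected twice over: the ACL's explicit `deny` means the clause does not match, and with no other clause the route-map's implicit deny applies. RMAP2 shows the difference between a deny clause (the route is rejected outright) and a permit clause with `continue` (set actions from sequence 20 and 30 are both applied).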
A network engineer runs the following command to troubleshoot a route filtering issue:

```
R1# debug ip bgp updates
BGP(0): 10.1.1.2 rcvd UPDATE w/ attr: nexthop 10.1.1.2, origin i, metric 0, path 65001 65002
BGP(0): 10.1.1.2 rcvd UPDATE about 192.168.100.0/24 -- DENIED due to: community no-export;
```

What does this output indicate?
The debug output explicitly shows that the update is denied due to the no-export community.
Why this answer
The debug output shows that BGP received an update for prefix 192.168.100.0/24 from neighbor 10.1.1.2 and that a local inbound policy denied it because the prefix carries the well-known community no-export. Note that no-export by itself never makes a router reject a received update; it only prevents the receiving router from advertising the prefix to eBGP peers. A "DENIED due to" line therefore points at an inbound filter on that peer (a route-map or policy matching the community), and the prefix will not appear in the BGP table (unless `soft-reconfiguration inbound` is enabled, where it shows as received-only).
Consider the following partial configuration on a router:

```
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.252
 bfd interval 100 min_rx 100 multiplier 3
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
!
```

What is the effect of this configuration?
Correct. BFD interface configuration alone does not enable BFD for OSPF; the routing protocol must be told to use it.
Why this answer
The `bfd interval` command only sets the timers BFD will use on the interface; it does not create a session. OSPF must be told to register with BFD, either with `bfd all-interfaces` under `router ospf 1` or with `ip ospf bfd` on the interface. Without one of those, no BFD session is created (`show bfd neighbors` stays empty) and OSPF keeps relying on its dead timer to detect a failed neighbor.
An engineer configures IP SLA with a UDP jitter operation to monitor VoIP quality between two routers. The operation shows 'OverThreshold' in the show ip sla statistics output, but the engineer notices that the IP SLA responder on the remote router is configured with a control port that does not match the default. Which is the most likely explanation?
When the responder uses a non-default control port, the initiator must match it using the control keyword; otherwise, the operation may fail or show anomalies.
Why this answer
IP SLA UDP jitter operations require the IP SLA responder to be configured with the correct control port; if the responder uses a non-default control port, the IP SLA initiator must be configured to use that port via the 'control' keyword under the IP SLA operation, otherwise the operation fails or produces incorrect results.
What is the default administrative distance for a route learned via the Routing Information Protocol next generation (RIPng)?
RIPng inherits the default AD of 120 from RIP.
Why this answer
RIPng, the IPv6 version of RIP, uses the same default administrative distance as RIPv2, which is 120.
A network engineer is troubleshooting a VRF-Lite configuration on a Cisco router. The router has two VRFs (VRF_RED and VRF_BLUE) configured with OSPF as the routing protocol. The engineer notices that OSPF neighborships are not forming between routers in VRF_RED. The 'show ip ospf neighbor' command shows no neighbors. What is the most likely cause?
Without the VRF association in the OSPF process, OSPF will not form neighborships on interfaces belonging to that VRF.
Why this answer
OSPF neighborships in VRF-Lite require a VRF-aware OSPF process ('router ospf <id> vrf VRF_RED') and interfaces that are actually in that VRF ('vrf forwarding VRF_RED' or the older 'ip vrf forwarding VRF_RED'). Two common mistakes: starting the OSPF process without the 'vrf' keyword, so its network statements match no VRF interface, and forgetting that assigning an interface to a VRF removes its IP address, which then has to be re-entered. Check 'show ip ospf interface brief' to see which process, if any, claims the interface.
Which THREE configuration steps are required to send syslog messages from a Cisco router to a remote syslog server? (Choose THREE.)
This command specifies the destination syslog server.
Which statement about CoPP and IPv6 control plane traffic is correct?
CoPP uses a single policy-map that can match both IPv4 and IPv6 traffic via ACLs or class-maps.
Why this answer
CoPP can classify and police IPv6 control plane traffic using the same policy-map framework, but IPv6-specific protocols like OSPFv3 or RIPng must be matched using appropriate ACLs or class-maps.
Router R1 has an ACL applied to interface Gig0/0 in VRF-A that permits only specific management traffic. The ACL is: access-list 100 permit udp any any eq snmp, access-list 100 permit tcp any any eq ssh, access-list 100 deny ip any any. The router's SNMP and SSH services are configured globally. Management stations in the global table cannot reach the router's VRF interface IP. What is the root cause?
Correct. The ACL is not the blocker: it permits SNMP and SSH from any source address, and an inbound ACL does not stop the router's own replies. The packets never get as far as the ACL because the global routing table has no route to the VRF-A interface address and VRF-A has no route back to the management stations; VRF-Lite keeps the tables separate unless routes are leaked explicitly.
Why this answer
Management stations live in the global table, but the target address belongs to an interface in VRF-A. The request is looked up in the global table and the reply in VRF-A's table, and neither table knows the other's prefixes by default, so the traffic is dropped before any ACL is evaluated. The fix is to leak in both directions (static routes with the 'global' keyword, or BGP import/export between the tables) and then confirm with 'show ip route' and 'show ip route vrf VRF-A' that each side resolves the other. Once reachability exists, the ACL as written accepts SNMP and SSH from any source; restricting it to the management subnet is the hardening step, not the root cause.
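An added example, not configuration from the original page, of the classic static-route leak in both directions plus the source-restricted version of the ACL. The management subnet 10.99.0.0/24 (reached in the global table via 10.99.0.254), the VRF-A interface address 172.16.1.1/24 and the RD are assumed.

```cisco
! Added example (not from the original page). Assumed: management subnet
! 10.99.0.0/24 behind a global-table next hop 10.99.0.254; VRF-A interface
! Gi0/0 addressed 172.16.1.1/24.
vrf definition VRF-A
 rd 65000:1
 address-family ipv4
!
interface GigabitEthernet0/0
 vrf forwarding VRF-A
 ip address 172.16.1.1 255.255.255.0
 ip access-group 100 in
!
! Leak the management prefix into VRF-A; the next hop resolves in the
! global table because of the 'global' keyword ...
ip route vrf VRF-A 10.99.0.0 255.255.255.0 10.99.0.254 global
! ... and leak the VRF-A interface subnet into the global table by
! pointing a global static route at the VRF interface.
ip route 172.16.1.0 255.255.255.0 GigabitEthernet0/0
!
! Hardened ACL: same two services, but only from the management subnet,
! and the implicit deny made explicit with logging.
no access-list 100
access-list 100 permit udp 10.99.0.0 0.0.0.255 any eq snmp
access-list 100 permit tcp 10.99.0.0 0.0.0.255 any eq 22
access-list 100 deny ip any any log
!
! Verify both directions before touching the ACL:
! show ip route vrf VRF-A 10.99.0.1
! show ip route 172.16.1.1
```

If either lookup returns "% Network not in table", the ACL has not been reached yet. Keep in mind that 'deny ip any any' on a VRF interface also drops routing protocol traffic arriving there; add the needed permits if the interface carries an IGP.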
A network engineer is troubleshooting a VRF-Lite setup where two customer VRFs (VRF_A and VRF_B) are configured on a router. The engineer notices that routes from VRF_A are appearing in the routing table of VRF_B, causing traffic misdirection. The router is running IOS-XE 17.3. What is the most likely cause of this issue?
Incorrect route-target configuration can lead to unintended route leaking between VRFs.
Why this answer
The issue is caused by route leaking between VRFs, which can occur if VRF route import/export configurations are misapplied or if routes are accidentally redistributed between VRFs. In VRF-Lite, VRFs are isolated by default, and any cross-VRF route sharing must be explicitly configured.
What is the default SNMPv3 security level for a user configured with the "snmp-server user username groupname v3 auth sha password" command?
When only auth is configured without priv, the default security level is authNoPriv per RFC 3414.
Why this answer
The command specifies authentication (SHA) but no privacy, so the default security level is authNoPriv.
An enterprise is using CoPP to protect the control plane. R1 has the following configuration: access-list 100 permit udp any any eq 179 class-map match-any BGP match access-group 100 policy-map COPP class BGP police 100000 20000 conform-action transmit exceed-action drop. Router R2 shows: 'show ip bgp summary' indicates the BGP session to R1 is flapping every 30 seconds. R1's 'show policy-map control-plane' shows drops for class BGP. What is the root cause?
The class never classifies BGP: BGP runs over TCP port 179, and access-list 100 matches only UDP port 179. Whatever is being counted and dropped under class BGP is therefore not BGP, and the BGP packets themselves fall into class-default. The ACL is misconfigured, and on top of that 'police 100000 20000' is 100 kbps with a 20000-byte burst (the second value is bytes, not bps), which is too small for a session exchanging full updates.
Why this answer
CoPP rate-limits the class to 100 kbps with a 20000-byte burst. BGP keepalives are small, but the updates sent after a reset are not; when enough BGP packets are dropped for the hold timer (default 180 seconds) to expire, the session resets, re-sends the table, is policed again, and the cycle repeats as the flapping seen on R2.
The fix is to match TCP port 179 (as destination and as source, since either peer may open the session), restrict the class to known peer addresses so unknown sources cannot compete with them, and size the police rate for the real BGP load.
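A corrected CoPP policy, as an added example rather than configuration from the original page. The peer address 10.0.0.2 and the police rates are assumed and should be sized from 'show policy-map control-plane' counters on the real box.

```cisco
! Added example (not from the original page). Assumed peer 10.0.0.2.
! BGP is TCP/179 in either direction, so match both port positions and
! only the configured peer.
ip access-list extended BGP-PEERS
 permit tcp host 10.0.0.2 eq 179 any
 permit tcp host 10.0.0.2 any eq 179
!
class-map match-any COPP-BGP
 match access-group name BGP-PEERS
!
policy-map COPP
 class COPP-BGP
  police 1000000 100000 conform-action transmit exceed-action drop
 class class-default
  police 250000 50000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! show policy-map control-plane input class COPP-BGP   -> conformed vs exceeded
! show ip bgp neighbors 10.0.0.2 | include Hold time|Last reset
```

Police rates are in bits per second and the burst in bytes; if "exceeded" keeps climbing for the BGP class during steady state, the rate is still too low for the session, not the other way round.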
A network engineer is troubleshooting an IPv6 connectivity issue on a router that is using a tunnel interface (IPv6 over IPv4). The engineer notices that traffic is not passing through the tunnel. The engineer checks the tunnel interface and finds an inbound IPv6 ACL that permits only certain IPv6 traffic. The engineer also sees that uRPF is enabled on the tunnel interface in strict mode. The tunnel source and destination are IPv4 addresses. The IPv6 traffic sourced from a network behind the tunnel is being dropped. What is the most likely cause?
Correct because uRPF on a tunnel requires a route to the source via the tunnel interface; without it, the packet is dropped.
Why this answer
The uRPF strict mode check requires that the source IPv6 address of incoming traffic on the tunnel interface must have a route in the routing table pointing back to that same interface. Since the IPv6 traffic is sourced from a network behind the tunnel, the router likely has a route to that source network via a different interface (e.g., the physical LAN interface) or no route at all, causing uRPF to drop the packets. This is the most likely cause because the tunnel interface is the inbound interface for the decapsulated IPv6 packets, and uRPF strict mode validates the source address against the Forwarding Information Base (FIB) entry pointing to the tunnel interface.
Exam trap
Cisco often tests the interaction between uRPF and tunnel interfaces, where candidates mistakenly think the ACL is the issue or that uRPF only checks for the existence of a route, ignoring the strict mode requirement that the route must point back to the same interface the packet arrived on.
How to eliminate wrong answers
Option B is wrong because tunnel interfaces do support ACLs; the ACL is applied inbound and can filter IPv6 traffic, but the question states the ACL permits only certain IPv6 traffic, so it is not the cause of the drop unless the traffic matches a deny entry, which is not indicated. Option C is wrong because the engineer already checked the tunnel interface and found the tunnel source and destination are IPv4 addresses, implying the tunnel is configured correctly; if they were incorrect, the tunnel would not come up or would not encapsulate/decapsulate properly, but the issue is specifically with IPv6 traffic being dropped after decapsulation. Option D is wrong because while loose mode would check only that a route exists to the source network (not necessarily via the inbound interface), the question states uRPF is enabled in strict mode, and changing to loose mode is a potential fix but not the most likely cause; the most likely cause is the strict mode check failing due to missing route via the tunnel interface.
In DMVPN, what is the default holdtime value for NHRP mappings on a spoke router?
Correct. Default NHRP holdtime is 7200 seconds.
Why this answer
The default NHRP holdtime is 7200 seconds (2 hours) for mappings learned from the hub. This can be changed with the 'ip nhrp holdtime' command.
A network engineer is troubleshooting a route selection issue between two routing protocols. R1 learns the prefix 10.0.0.0/8 via both IS-IS (AD 115) and OSPF (AD 110). The engineer wants R1 to prefer the IS-IS route. After configuring the distance 105 ip 10.0.0.0 0.255.255.255 under the IS-IS process, the IS-IS route is still not preferred. What is the most likely cause?
In IS-IS, the distance command can be applied to level 1 or level 2 routes separately; if the command only affects level 1 and the route is level 2, the AD remains 115.
An engineer must configure IP SLA tracking to trigger a static route removal when a remote server becomes unreachable. Which TWO configuration steps are required? (Choose TWO.)
Correct. This creates and schedules the IP SLA operation, which is the first step.
Why this answer
To track IP SLA reachability, you must first create an IP SLA operation (e.g., type icmp-echo) and schedule it. Then, create a track object that references the IP SLA operation's return code. Finally, apply the track to the static route using the 'track' keyword.
The 'reaction' configuration is optional for basic tracking.
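The complete procedure as an added example, not configuration from the original page: the IP SLA operation, its schedule, the track object, and a default route that is withdrawn when the track goes down. The next-hop addresses, the monitored server 203.0.113.10 and the delay timers are assumed.

```cisco
! Added example (not from the original page). Assumed: primary next hop
! 192.0.2.1 on Gi0/1, backup next hop 198.51.100.1, probe target 203.0.113.10.
ip sla 10
 icmp-echo 203.0.113.10 source-interface GigabitEthernet0/1
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track the operation's reachability, with dampening so one lost probe
! does not flip the route.
track 10 ip sla 10 reachability
 delay down 30 up 10
!
! Primary route tied to the track; floating backup with AD 250.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Pin the probe to the primary path; otherwise, once the backup takes
! over, the probe succeeds via the backup and the track never recovers
! the primary correctly (assumed host route).
ip route 203.0.113.10 255.255.255.255 192.0.2.1
!
! show track 10             -> "Reachability is Up" / "Down", change count
! show ip sla statistics 10 -> latest RTT and return code
! show ip route 0.0.0.0     -> which default is installed right now
```

'ip sla reaction-configuration' is not needed for this; the track object reads the operation's return code directly. The 'timeout' must be less than 'frequency' expressed in milliseconds or the schedule command is rejected.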
A network engineer runs the following command on Router R1: R1# show ipv6 source-guard policy Interface Policy Role State Gi0/0/0 SRC_GUARD host ACTIVE Gi0/0/1 SRC_GUARD host ACTIVE Gi0/0/2 (default) host ACTIVE Based on this output, which statement is correct?
All interfaces show active state with source guard policy.
Why this answer
All interfaces are using the SRC_GUARD policy or default with role 'host', meaning source address validation is enforced on all interfaces. This prevents hosts from spoofing IPv6 addresses.
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue: R1# show crypto isakmp policy Global IKE policy Protection suite of priority 10 encryption algorithm: AES - Advanced Encryption Standard (256 bit keys). hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #5 (1536 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit What does this output indicate?
Priority 10 negotiates AES-256, SHA-1, pre-shared keys and DH group 5, which is far stronger than the built-in default suite (DES, group 1). The default suite remains available as a fallback and should be disabled so that no peer can negotiate down to it.
Why this answer
Option A is correct because the output shows a configured IKE policy with priority 10 using AES-256 encryption, SHA hashing, pre-shared-key authentication, and Diffie-Hellman group 5 (1536-bit). The default protection suite is only consulted when a peer matches none of the configured policies, so the active policy here is the one with priority 10. Relative to the default suite it is the strong one; by current guidance SHA-1 and a 1536-bit group are legacy choices, and SHA-256 with group 14 or an ECP group (and IKEv2 rather than IKEv1) is preferred for new deployments.
Exam trap
Cisco often tests the distinction between the configured IKE policy and the default protection suite, tricking candidates into thinking the default suite is active or that DES is being used when it is not.
How to eliminate wrong answers
Option B is wrong because the active IKE policy (priority 10) uses AES-256, not DES; DES appears only in the default protection suite, which is not applied unless no matching policy is found. Option C is wrong because the output clearly shows 'authentication method: Pre-Shared Key' for both the priority 10 policy and the default suite, so the authentication method is present. Option D is wrong because an IKE lifetime of 86400 seconds (24 hours) is the default and is considered standard; it is not too short and can be adjusted as needed.
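A hardened version of the policy, as an added example that is not part of the original page: the configured suite moved to current parameters and the built-in default suites removed. The peer address 198.51.100.2 and the key value are placeholders.

```cisco
! Added example (not from the original page). Assumed peer 198.51.100.2;
! the pre-shared key below is a placeholder to be replaced.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Remove the built-in fallback suites (DES/3DES, MD5/SHA-1, groups 1/2)
! so the router can no longer accept them from any peer.
no crypto isakmp default policy
!
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-SECRET address 198.51.100.2
!
! show crypto isakmp policy   -> only "Protection suite of priority 10"
!                               and no "Default protection suite" block
! show crypto isakmp sa detail
```

After 'no crypto isakmp default policy', a peer that offers only DES or group 1 fails Phase 1 instead of silently getting a weak SA; that is the intended outcome, so check peers before rolling this out.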
Which TWO commands would a network engineer use to verify OSPFv2 neighbor state and adjacency issues on a Cisco IOS router? (Choose TWO.)
This command lists all OSPF neighbors and their current state (e.g., FULL, 2WAY, INIT).
Why this answer
The 'show ip ospf neighbor' command displays the state of all OSPF neighbors, while 'debug ip ospf adj' provides real-time adjacency events. 'show ip route ospf' shows routes, not neighbor states; 'show ip ospf interface' shows per-interface details but not neighbor states directly; 'show ip protocols' displays routing process info, not neighbor states.
A network engineer runs the following command to troubleshoot an IP SLA issue: R1# show ip sla monitor configuration 10 IP SLAs Monitor, Infrastructure Engine-II. Entry number: 10 Owner: Tag: Type of operation to perform: icmp-echo Target address: 192.168.1.1 Type Of Service parameter: 0x0 Request size (ARR data portion): 28 Operation timeout (milliseconds): 5000 Frequency (seconds): 60 Next Scheduled Start Time: Start Time already occurred Group Scheduled : FALSE Life (seconds): Forever Entry Ageout (seconds): never Recurring (Starting Everyday): FALSE Status of entry (SNMP RowStatus): Active Threshold (milliseconds): 5000 Distribution Statistics: Number of history intervals kept: 0 Number of history buckets kept: 15 History Statistics: Number of history Lives kept: 0 What does this output indicate?
The configuration matches these parameters.
Why this answer
This is the older 'show ip sla monitor configuration' syntax, equivalent to the newer 'show ip sla configuration'. It shows an ICMP echo probe to 192.168.1.1 that is active, runs every 60 seconds with a 5-second timeout, and has no end of life or ageout configured.
A network engineer runs the following command on Router R1: R1# show ip eigrp topology summary IP-EIGRP Topology Table for AS(100)/ID(1.1.1.1) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status P 10.0.0.0/8, 1 successors, FD is 2812416, serno 10 via Summary (2812416/0), Null0 P 10.0.0.0/24, 1 successors, FD is 2172416, serno 5 via 192.168.1.2 (2172416/2812416), GigabitEthernet0/0 P 10.0.1.0/24, 1 successors, FD is 2172416, serno 6 via 192.168.1.2 (2172416/2812416), GigabitEthernet0/0 Based on this output, what is the purpose of the route 10.0.0.0/8 via Null0?
The Null0 interface indicates this is a discard route, commonly used with summarization to avoid loops.
Why this answer
The route 10.0.0.0/8 via Null0 is the discard route EIGRP installs locally (administrative distance 5 by default) when a summary is configured with 'ip summary-address eigrp 100 10.0.0.0 255.0.0.0' on an interface, or under 'af-interface' in named mode. Packets for destinations inside 10.0.0.0/8 that match no more specific route are dropped here instead of following a default route back toward the neighbor that sent them, which is what prevents the loop.
Which TWO actions will prevent a BGP route from being installed in the routing table (RIB) while still being present in the BGP table? (Choose TWO.)
Note on aggregation: 'aggregate-address ... summary-only' suppresses the more specific routes from being advertised to neighbors (they show as 's' in the BGP table), but the aggregating router still installs those specifics in its own RIB; suppression is an advertisement filter, not an installation filter.
Why this answer
A route can be in the BGP table but not in the RIB when its next hop cannot be resolved (the path is shown as inaccessible and carries no '>'), when it is not the best path, when it has been dampened, when the same prefix is already in the RIB from a protocol with a lower administrative distance (a RIB failure, listed by 'show ip bgp rib-failure'), or when a 'table-map <map> filter' policy excludes it. 'maximum-paths' only affects load sharing, 'bgp bestpath igp-metric ignore' only changes best-path selection, and 'neighbor <ip> route-map <name> out' only filters what is advertised; none of those keeps a best path out of the RIB.
A network engineer notices that an SNMPv3 poll from the NMS to router R1 fails with an authentication error. The engineer has configured 'snmp-server group ADMIN v3 priv' and 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456'. The NMS is configured with the same credentials. What is the most likely cause of the failure?
The 'access' keyword on 'snmp-server group' or 'snmp-server user' binds an ACL to the group or user; when such an ACL is present and does not permit the NMS address, the poll is refused even though the credentials match.
Why this answer
Neither command shown carries an 'access' ACL, so an ACL can only be the cause if one is attached elsewhere (for example a later 'snmp-server group ADMIN v3 priv access <acl>' line); without any ACL, IOS accepts the user from every source. Other causes that produce the same failure with matching passwords: the NMS polling at a different security level or privacy protocol than authPriv with AES-128, or the router's SNMP engineID having been changed after the user was created, which invalidates the localized keys and requires recreating the user.
In a 6to4 tunnel, what is the default IPv6 prefix assigned to the tunnel interface?
The tunnel interface gets a /48 prefix based on its source IPv4 address.
Why this answer
In a 6to4 tunnel, the default IPv6 prefix assigned to the tunnel interface is 2002:IPv4-address::/48, where the IPv4 address of the tunnel source is embedded in the prefix. This is defined in RFC 3056, which specifies that the 6to4 prefix is 2002::/16, and the next 32 bits are the tunnel source's IPv4 address, resulting in a /48 prefix for the 6to4 site.
Exam trap
Cisco often tests the distinction between the 6to4 prefix range (2002::/16) and the actual prefix assigned to the tunnel interface (2002:IPv4-address::/48), leading candidates to mistakenly select the broader /16 prefix instead of the correct /48 derived from the IPv4 address.
How to eliminate wrong answers
Option A is wrong because 2002::/16 is the overall 6to4 prefix range, not the specific prefix assigned to the tunnel interface; the tunnel interface uses a /48 derived from the IPv4 address. Option C is wrong because 2001::/32 is the Teredo prefix (RFC 4380), not a 6to4 prefix; 6rd uses a prefix assigned by the provider. Option D is wrong because 3ffe::/16 was part of the 6bone testing address space, which is deprecated and not used for 6to4 tunnels.
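One added example, not configuration from the original page, serving both the uRPF-on-tunnel question above and this 6to4 question: a 6to4 tunnel whose /48 is derived from an assumed public IPv4 address 192.0.2.1, with strict uRPF on the tunnel and the single route that makes strict uRPF pass for every other 6to4 site. The interface names and the LAN subnet are assumed.

```cisco
! Added example (not from the original page). Assumed public IPv4 source
! 192.0.2.1 on Gi0/0. Derivation: 192.0.2.1 = c0.00.02.01 in hex, so the
! site prefix is 2002:c000:0201::/48, written 2002:c000:201::/48.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 no ip address
 ipv6 address 2002:c000:201::1/128
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip 6to4
 ! Strict uRPF: the source of each decapsulated packet must resolve
 ! via Tunnel0 itself, not merely exist in the table.
 ipv6 verify unicast source reachable-via rx
!
! Every other 6to4 site is 2002:<its-IPv4>::/48 and is reached through
! Tunnel0, so this one route satisfies strict uRPF for all of them.
! Without it, or with the remote prefix routed via another interface,
! strict uRPF drops the traffic before any IPv6 ACL is consulted.
ipv6 route 2002::/16 Tunnel0
!
! Hosts on the site use subnets of the /48 (assumed subnet 1):
interface GigabitEthernet0/1
 ipv6 address 2002:c000:201:1::1/64
!
! show ipv6 route 2002::/16   -> static via Tunnel0
! show ipv6 interface Tunnel0 -> address and tunnel state
```

For a manually keyed tunnel ('tunnel mode ipv6ip' without 6to4) the same rule applies: the remote site's IPv6 prefix needs a route pointing at the tunnel interface, otherwise use 'reachable-via any' (loose mode) or accept that strict uRPF will drop it.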
In a VRF-Lite setup using RIP, what is the default update timer value?
RIP uses a default update timer of 30 seconds.
Why this answer
RIP sends routing updates every 30 seconds by default, as defined in RFC 1058.
Which TWO commands can be used to verify the operational state and statistics of an IP SLA operation? (Choose TWO.)
Correct. This command displays detailed statistics such as RTT, packet loss, and jitter for each IP SLA operation.
Why this answer
The 'show ip sla statistics' command displays detailed statistics for all IP SLA operations, including RTT, packet loss, and jitter. The 'show ip sla configuration' command shows the configuration parameters, not real-time state. 'show track' shows the state of track objects, not the IP SLA operation directly. 'show ip sla summary' provides a one-line summary of each operation's state. 'debug ip sla trace' is a debug command, not a verification show command.
Which TWO commands can be used to verify IP SLA operations on a Cisco IOS device? (Choose TWO.)
Displays the latest statistics for each configured IP SLA operation.
Why this answer
The 'show ip sla statistics' command displays the latest statistics for each IP SLA operation, and 'show ip sla reaction-configuration' shows the threshold and reaction settings. 'show ip sla configuration' shows the configured parameters but not live results. 'show ip sla monitor ...' is the pre-15.x syntax and only exists on older images. 'show ip sla summary' does exist on current IOS and IOS-XE and gives a one-line state per operation, but it is not one of the two commands this question is after.
A network engineer runs the following command to verify NetFlow data export format: R1# show flow exporter EXPORTER-1 Flow Exporter: EXPORTER-1 Transport Configuration: Destination IP address: 192.168.1.100 Source IP address: 10.0.0.1 Transport Protocol: UDP Destination Port: 2055 Source Port: 51234 DSCP: 0x00 TTL: 255 Output Features: Used Export Protocol: NetFlow Version 9 Template Data Export Timeout: 1800 seconds Option Data Export Timeout: 1800 seconds Option Data Configured: application-table sub-application-table application-attributes What does this output indicate?
The exporter uses NetFlow v9 and includes option data for application-table, sub-application-table, and application-attributes, which are used with NBAR.
Why this answer
The output shows the configuration of a Flexible NetFlow exporter. It uses UDP to send NetFlow version 9 data to 192.168.1.100 on port 2055 from source 10.0.0.1, re-sending templates and option data every 1800 seconds. It also exports option tables (application, sub-application and application attributes) that a collector needs to decode NBAR application IDs. Because NetFlow v9 over UDP is neither authenticated nor encrypted, the collector path should be restricted to the expected source and port.
A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show crypto isakmp sa detail Codes: C - IKE configuration mode, D - Dead Peer Detection I - IKE Initiatior, R - IKE Responder C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap. 1001 10.1.1.1 10.1.1.2 ACTIVE aes sha md5 2 86400 D What does this output indicate?
The SA is ACTIVE with the displayed parameters: aes encryption, sha hash, DH group 2, 86400-second lifetime. Note that the Auth column reports the authentication method (psk for pre-shared key, rsig for RSA signatures), so the 'md5' shown there is not a valid value for that column.
Why this answer
The output from 'show crypto isakmp sa detail' displays an IKE Phase 1 (ISAKMP) security association with status 'ACTIVE', indicating successful Phase 1 negotiation. The 'Encr' column shows 'aes' and 'Hash' shows 'sha', confirming AES encryption and SHA hashing. The 'Auth' column reports the authentication method (for example psk or rsig), not a hash algorithm; 'md5' is not an IKE authentication method, so that value in the transcript is best treated as an artifact. The output matches option A, an established IKE Phase 1 SA with those parameters.
Exam trap
Cisco often tests the distinction between IKE Phase 1 and Phase 2 SAs, and candidates may confuse 'show crypto isakmp sa' (Phase 1) with 'show crypto ipsec sa' (Phase 2), leading them to incorrectly select option C.
How to eliminate wrong answers
Option B is wrong because the status is 'ACTIVE', not failed; the hash in use is SHA, and while MD5 is weak wherever it appears, nothing in this output shows a failure caused by it. Option C is wrong because this command shows IKE Phase 1 (ISAKMP) SAs, not Phase 2 (IPsec) SAs; Phase 2 is verified with 'show crypto ipsec sa'. Option D is wrong because the 'I-VRF' column is empty and the 'Cap.' column shows only 'D' (Dead Peer Detection); there is no 'I' (Initiator) or 'R' (Responder) flag in the output, and the 'C-id' and other fields do not indicate the initiator role.
Which TWO statements about BGP route reflectors are true when troubleshooting route propagation issues? (Choose TWO.)
This is a standard behavior of route reflectors to reduce IBGP peering.
Why this answer
A route reflector reflects routes learned from a client to all other clients and to non-clients, and routes learned from a non-client to clients only (non-clients are expected to be fully meshed with each other). It does not modify AS_PATH or, by default, NEXT_HOP; it adds ORIGINATOR_ID and CLUSTER_LIST, and the cluster ID recorded in CLUSTER_LIST is what prevents reflection loops. Option B is incorrect because route reflectors do not prepend the AS_PATH.
Option D is incorrect because clients do not need to peer with each other; a session to the route reflector is enough, since client-to-client reflection is on by default. Option E is incorrect because the next hop is not changed by default.
A network engineer is troubleshooting a router that is not sending SNMP traps to the NMS server at 10.1.1.100. The SNMP configuration includes 'snmp-server enable traps' and 'snmp-server host 10.1.1.100 version 2c public'. The engineer can ping the NMS server from the router, and 'show snmp' indicates SNMP is enabled. What is the most likely cause of the missing traps?
Without 'snmp-server trap-source', the router sources each trap from the interface it uses to reach 10.1.1.100; an NMS that only accepts notifications from a registered address silently discards traps from any other source.
Why this answer
The router has traps enabled and a host configured, but the 'snmp-server trap-source' command is missing, so traps may carry a source address the NMS does not recognise. Before changing anything, read the host line in 'show snmp' (it lists sent and dropped counts per destination) to confirm the router is emitting traps at all, and make sure UDP 162 is not filtered between the two.
A network engineer runs the following command on Router R8: R8# show logging | include %LDP-5-NBRCHG *Mar 1 00:01:10.123: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is UP *Mar 1 00:02:20.456: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN *Mar 1 00:03:30.789: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is UP *Mar 1 00:04:40.012: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN Based on this output, what is the most likely problem?
LDP relies on IGP to establish and maintain neighbors; if the IGP route is flapping, LDP will also flap.
Why this answer
The output shows LDP neighbor 10.0.0.2 flapping between UP and DOWN. This indicates instability in the LDP session, often due to a flapping IGP route (since LDP depends on IGP reachability), or a misconfiguration of LDP parameters such as hello interval or hold time.
An engineer configures BFD for BGP on a route reflector client. The BFD session between the client and the route reflector is up, but the client does not receive routes from the route reflector. The engineer verifies that the BGP configuration is correct and that the client is sending routes. What is the most likely cause?
Correct. The route reflector does reflect the routes, but if the client cannot resolve the NEXT_HOP they carry it cannot use them; the paths show as inaccessible in the BGP table and no best path is installed.
Why this answer
A route reflector reflects routes between clients by default and leaves NEXT_HOP untouched on reflected iBGP routes. If the next hop is an address the client cannot reach, typically an eBGP neighbor's address that is not carried in the IGP, the client receives the routes but cannot select them, and 'show ip bgp' lists them as inaccessible. BFD only speeds up detection of a session failure and has no influence on this. The fix is to make the next hop reachable: 'next-hop-self' on the border router that learned the routes from eBGP, advertising the external link into the IGP, or 'neighbor <ip> next-hop-self all' on the route reflector if it must rewrite reflected routes.
Drag and drop the steps to create and register an EEM applet for syslog events into the correct order, from first to last.
Why this order
The correct order begins with entering global configuration mode, then defining the EEM applet and its syslog trigger, followed by configuring the action to execute, and finally exiting configuration mode to register the applet.
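The four steps carried through as an added example, not configuration from the original page: an applet that fires on an OSPF adjacency-down syslog message and captures state to flash. The applet name, pattern and file name are assumed.

```cisco
! Added example (not from the original page). Assumed applet name,
! syslog pattern and output file.
configure terminal
event manager applet OSPF-ADJ-DOWN
 event syslog pattern "%OSPF-5-ADJCHG:.* to DOWN"
 action 1.0 syslog priority critical msg "EEM: OSPF adjacency lost, capturing state"
 action 2.0 cli command "enable"
 action 3.0 cli command "show ip ospf neighbor | append flash:ospf-adj.txt"
 action 4.0 cli command "show ip ospf interface brief | append flash:ospf-adj.txt"
end
!
! Leaving configuration mode ('end') is what registers the applet.
! show event manager policy registered   -> applet listed with event type syslog
! show event manager history events      -> entries after the next %OSPF-5-ADJCHG
```

Keep the pattern specific: an applet matching a broad string such as "OSPF" fires on every informational OSPF message and can itself generate enough CLI load to disturb the router it is meant to watch.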
Conflicts indicate duplicate IP usage on the network.
Why this answer
The `show ip dhcp conflict` command displays IP addresses that the DHCP server has detected as already in use on the network. The detection methods (Ping and Gratuitous ARP) confirm that another device is responding to these addresses, indicating a conflict. This output directly shows that the DHCP server is functioning but has identified conflicts, meaning another host is using the same IP addresses.
Exam trap
Cisco often tests the distinction between a DHCP server that is working but detecting conflicts versus a server that is failing to respond or misconfigured, leading candidates to incorrectly assume the server is broken when it is actually performing its conflict detection duties correctly.
How to eliminate wrong answers
Option A is wrong because conflicts are not automatically resolved; the DHCP server logs them and will not lease those addresses until the conflict is cleared manually or via timeout. Option C is wrong because the output shows the DHCP server is actively detecting conflicts, which requires it to be responding to client requests and performing conflict detection. Option D is wrong because overlapping subnets would cause pool exhaustion or misallocation, but the output specifically shows address conflicts detected via Ping and ARP, not a pool configuration issue.
UDP port 514 is the well-known port for syslog.
Drag and drop the steps to negotiate an IKEv2 IPsec site-to-site tunnel into the correct order, from first to last.
Why this order
IKEv2 negotiation begins with IKE_SA_INIT, which agrees cryptographic parameters and completes the Diffie-Hellman exchange to establish a protected channel, followed by IKE_AUTH, which authenticates the peers and exchanges identities. IPsec SAs are then negotiated (CREATE_CHILD_SA; note that the first Child SA is in fact carried inside IKE_AUTH, and CREATE_CHILD_SA creates additional Child SAs and performs rekeys), and the final step installs the IPsec security associations into the data plane. IKEv2 does not formally use the terms Phase 1 and Phase 2; they are carried over from IKEv1.
A network engineer redistributes OSPF routes into EIGRP on Router R1. After redistribution, Router R3, which is an EIGRP neighbor of R1, starts experiencing routing loops for the 192.168.1.0/24 network. R1 configuration: router eigrp 100, redistribute ospf 1 metric 10000 100 255 1 1500, route-map RM-OSPF-to-EIGRP. The route-map sets tag 100. R3 shows: 'show ip route 192.168.1.0' points to R1, but traceroute shows packets looping between R1 and R3. What is the root cause?
The route-map sets a tag, but without a corresponding filter on the OSPF side (e.g., deny routes with tag 100), the route can be redistributed back into OSPF, creating a loop.
Why this answer
The route-map sets tag 100 on routes injected into EIGRP, but nothing anywhere matches on that tag. If mutual redistribution exists elsewhere (on R3, or on R1 in the reverse direction), the EIGRP external for 192.168.1.0/24 is carried back into OSPF, R1 relearns its own prefix with a different metric, and the forwarding path bends back between R1 and R3. Tagging alone prevents nothing; each redistribution point must also deny the tag belonging to the opposite direction.
The fix is to use route tagging and filtering to prevent redistribution loops.
A large enterprise network is experiencing intermittent connectivity failures for VoIP traffic traversing a DMVPN hub-and-spoke topology. Hub router R1 has the following relevant configuration: ip nat inside source list 100 interface Tunnel0 overload. Spoke router R2 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global --- 10.1.1.1 192.168.1.1 203.0.113.1 203.0.113.1. VoIP calls drop after 30 seconds. What is the root cause?
Reducing the NAT timeout for UDP ensures that stale entries are cleared quickly, preventing mismatches with VoIP session refreshes.
Why this answer
PAT overload on the DMVPN tunnel interface creates translation entries for the VoIP flows, and the default NAT timeouts (86400 seconds for TCP, 300 seconds for UDP) do not line up with the tunnel keepalive or the VoIP session refresh timers. When the tunnel rekeys or the VoIP session refreshes, the flow can land on a stale entry, producing asymmetric translation and dropped packets. The fix is to adjust the NAT timeouts or, better, to exempt VoIP traffic from translation with a route-map or deny entries in the NAT ACL, since media streams and their signalling rarely tolerate address rewriting at all.